Posts Tagged ‘breach notification’

Poor IT security measures lead to data theft in Citigroup Japan

August 26th, 2011

Another cyber attack on Citigroup

Hackers love Citigroup and they waste no time in finding loopholes to hack into their system. They have done it again but in a different way. This is not an online hack but an offline one.

This time they have illegally accessed personal information of 92,408 Citigroup Inc. credit card customers in Japan and sold this info to third parties. This is a clear indication that banks are vulnerable to cyber attacks and need to beef up their security.

Customer account numbers, names, addresses, phone numbers, birth dates, account-opening dates and gender information were stolen. Thankfully, personal identification numbers and card security codes were safe.

No unauthorized use of the cards had been reported by the end of business on Aug. 5, Kyodo News reported.

Citi is getting in touch with all customers affected by the theft and plans to reissue cards at the customer’s request. It further added that customers won’t be responsible for fraudulent transactions on their accounts.

Who is the perpetrator this time?

According to Citigroup Japan, the system was hacked by a third-party vendor that had been given access to Citi’s internal systems.

Avivah Litan, a distinguished analyst at Gartner, sums it up: “This is a CIO’s worst nightmare,” she said. “I am sure Citi is not sitting around and twiddling its thumbs as the hackers gain the upper-hand. However, it does prove what a leaky sieve most large banks and corporations are when it comes to protecting customer data. There are so many points of compromise that it’s very difficult for them to thwart all potential attacks.”

Customers have started worrying as cyber criminals are getting better and better in their online attacks stealing private information and documents. They are not fully able to trust the big companies who are handling their money and credit card information.

Citi has been a constant target of hackers

In 2006, Citi’s system had been breached through a third party, giving away corporate banking information. Citi had to take the step of blocking PIN-based transactions for customers in Canada, Russia, and the United Kingdom. This was followed by an incident in June where the FBI arrested a former Citi executive who allegedly embezzled more than $19 million from the bank and its customers.

About Citigroup

Citigroup is a leading global financial services company housing 200 million customer accounts and operating in more than 140 countries. Through Citicorp and Citi Holdings, Citi provides consumers, corporations, governments and institutions with a broad range of financial products and services, including consumer banking and credit, corporate and investment banking, securities brokerage, and wealth management.

Protect yourself with Alertsec

Organisations are now aware of the importance of data security and are implementing data encryption techniques. Alertsec uses encryption software to protect data from breaches and theft.

Alertsec Xpress is backed up by Check Point Full Disk Encryption and is used by over 4 million users worldwide, with single deployments exceeding 150,000 laptops and PCs. This is the most deployed software of its kind and is seen as today’s market leader.


Unauthorized person breaks into Purdue University’s computer system

August 23rd, 2011

Data of former students accessed illegally

First it was the gaming sites, followed by big organizations like NASA, later it was the healthcare industry, and now it’s time for educational institutes to get their data breached!

Hackers broke into a Purdue University server that contained the personal information, including Social Security numbers and course records, of more than 7,000 former Purdue University students. These students had enrolled in a math course.

The breach

The breach took place on April 5, 2010. As soon as the Purdue staff learned about it, they took the server offline. The notification came 16 months after the discovery of the breach.

The server contained 6.6 million nine-digit numbers in the hacked files. It took Purdue six months to analyze those numbers. After analysis, Purdue determined that approximately 65,000 of those number combinations could be Social Security numbers. The numbers were further reanalyzed and the University matched 7,093 of those number combinations to Social Security numbers of former students.

The computer showed older course records from 2000 through the summer session of 2005.

Not only ex-students but also a few professors, family members and contractors were potentially affected. A letter was sent to those affected stating a toll-free phone number for inquiries at 866-520-0492.

Breach investigation

Investigation by Purdue University officials showed that 7,093 Social Security numbers were accessed by the hacker.

“Through our investigation, we found no evidence that the unauthorized user attempted to find or read any files with personal information in our system, but felt informing people who may have been affected was a necessary precaution,” said Laszlo Lempert, head of the Department of Mathematics. “We regret the breach occurred, and we’ve taken extensive measures to prevent this from happening again.”

As per Purdue University policy, Social Security numbers are no longer used except where required by law. A Purdue identification number is issued to all students, alumni, faculty and staff.

Security tips by Purdue

  • Place a fraud alert on your credit file, if you haven’t already done so.
  • Close accounts that you believe have been tampered with.
  • File a complaint with the Federal Trade Commission. For step-by-step instructions and contact information, go to: http://www.ftc.gov/bcp/edu/microsites/idtheft/

AlertSec’s security services

Organisations and educational institutes which contain a large amount of data have to have an information security policy in place that proves they have taken necessary steps and measures to safeguard the information they gathered. If these policies are not adhered to, the regulators may prosecute.

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Alertsec Xpress’s Check Point Full Disk Encryption is used by over 4 million users worldwide.

To protect information on laptops with encryption is of paramount importance if you want to comply with today’s legislation, not to mention the peace of mind for people managing security for a mobile workforce. We have found Alertsec Xpress to be secure, yet easy to use and implement.


Sony’s mainstay insurance provider refuses to accept liability for damages and compensation

July 25th, 2011

Battle between Sony and Insurer Zurich American Insurance Co. over Playstation hacks

After reading this piece of news you might wish you were not a PlayStation Network (PSN) user!

Sony’s mainstay insurance provider, Zurich American Insurance Co., is refusing to accept liability for damages and compensation regarding the recent hacks where 77 million PSN customer accounts were compromised.

The insurance provider has filed legal papers covering a total of 55 pending class-action lawsuits that customers have lodged against Sony.

The firm has brushed off its responsibility of covering data breach monetary damages as well as any other miscellaneous claims made by Sony.

History

Sony’s PlayStation Network and Qriocity networks were compromised in the month of April. According to their statement: “An external intrusion on our system has affected our PlayStation Network and Qriocity services. In order to conduct a thorough investigation and to verify the smooth and secure operation of our network services going forward, we turned off PlayStation Network & Qriocity services.”

On Tue April 26 Sony confirmed that personal data of millions of customers had been compromised.

On Wed April 27 a class-action lawsuit was filed in the U.S. accusing Sony of failing to protect, encrypt and secure the private and sensitive data of its users.

Present

Nevertheless, Sony has gone ahead and filed insurance claims, as it feels it is fair coverage under previously agreed-upon terms.

According to Sony, the financial loss from the breaches is more than $178 million this year. The Japan-based firm wants the insurer to cover costs related to the 55 class-action lawsuits under a general liability insurance policy written by Zurich.

Customer reactions and cyber risks

Customers are furious about their loss of privacy and waiting for settlements. It is time to redefine cyber security and the legalities therein. Companies are under the impression that general liability insurance covers everything. According to Ty Sagalow, an insurance consultant and founder of Innovation Insurance Group, “There are probably still some risk managers out there that think that their comprehensive general liability policy cover breaches,” says Sagalow, who was one of the main experts in charge of first drafting cyberinsurance policies for Zurich when he worked for the company prior to starting his own consulting shop. “These types of cyberevents are not covered in the typical standard forms of insurance.”

Cyber insurance

Cyber insurance is insurance that covers losses incurred over the internet. The phenomenon is a recent one and has yet to stabilize. Hence organizations like Sony must consider adding additional coverage that can hold up to court scrutiny when things go haywire.

How can Alertsec help in cases of data breach?

Alertsec Xpress is the security service that protects data stored on your PC. As laptops are used in place of desktops, the chances of data being compromised are higher. Unless your laptop is encrypted, you are running a big risk of your data getting compromised.

Encryption software helps enhance laptop security. Alertsec uses industry-leading Check Point Full Disk Encryption (formerly Pointsec) software that simplifies data protection.


A major hacking attack on Pentagon

July 18th, 2011

The Department of Defense unveils a new cyber security program

The U.S. Defense Department yesterday made a startling revelation. It admitted becoming a victim of a massive cyber-attack and also announced a new strategy to deal with online threats to national security.

The story

Hackers belonging to a foreign government broke into a Pentagon contractor’s computer system and stole 24,000 files in late March. They wanted access to files related to missile tracking systems, unmanned aerial vehicles and the Joint Strike Fighter.

According to William J. Lynn III, deputy defense secretary, the U.S. government knew which country the hackers belonged to but refused to comment in the interest of diplomatic discretion. The breach coincided with the Thursday announcement of the Pentagon’s latest cyber-security initiative.

The program has been designed to proactively discourage cyber-criminals. It is the final step in the Obama administration’s push to secure U.S. military and civilian online networks. The plan consists of “five pillars” which outline the Pentagon’s general goals, for example classifying cyberspace as a military “operational domain,” like land, sea, air and space. Military personnel are being trained to deal with cyber-security issues.

“It is a significant concern that over the past decade terabytes of data have been extracted by foreign intruders from corporate networks of defense companies,” Lynn said.

The cyber-security program

The U.S. government wanted to make sure that cases like Sony and Citigroup, where the companies informed their users very late about the breach, don’t happen again.

The cyber security program has been jointly created by the Defense Department and the Department of Homeland Security. This pilot program is called Defense Industrial Base Cyber-Pilot and is used to share classified information with defense contractors and commercial ISPs.

Under this program the government won’t be monitoring, intercepting or storing any private-sector communications. The goal is to collect the threat intelligence and use it to identify and stop malicious activity within their networks.

In addition, the Pentagon will integrate cyber-scenarios into military exercises and training. The Defense Department also plans to set up cyber-capabilities in the Reserve and National Guard.

Cyberspace has been listed as the “fifth domain” of warfare, after air, land, sea and space in the 13-page unclassified document that was released with the speech.

Defense department’s reaction

More than 60,000 “new malicious software programs or variations are identified every day, threatening our security, our economy and our citizens,” Defense Secretary Leon Panetta said in a statement.

“Our assessment is that cyber-attacks will be a significant component of any future conflict, whether it involves major nations, rogue states or terrorist groups,” Lynn said.

The other side of the coin

“The reality is this is really a document focused on cybersecurity efforts, which are not unimportant, but it’s only one or two slices of the pizza,” said Dr. Dan Kuehl of the National Defense University. “Where’s the DoD’s strategy for the use of cyberspace to influence operations?”

Plan cyber-security with Alertsec

Alertsec has created a web-based encryption service that radically simplifies deployment and management of PC encryption by using industry-leading Check Point Full Disk Encryption (formerly Pointsec) software.


WellPoint fined $100,000 for breach

July 12th, 2011

Indiana State files lawsuit against data breach

Health insurer WellPoint (Indiana-based) has to settle a fine of $100,000 for a data breach that involved personal information such as name, date of birth, address, Social Security number, telephone number, e-mail address, and health and financial information of 32,000 Indiana customers.

Why?

The fine was imposed because it waited a long time before informing Indiana officials of a security breach that involved personal information of 32,000 members. It has also been asked to reimburse affected parties up to $50,000 as part of the settlement reached with the Indiana Attorney General. In addition, it has to provide up to two years of credit monitoring and identity theft protection services to affected customers.

Read more: http://www.ihealthbeat.org/articles/2011/7/7/wellpoint-to-pay-100k-to-settle-lawsuit-over-indiana-data-breach.aspx#ixzz1Rs49DlJw

“This case should be a teaching moment for all companies that handle consumers’ personal data: If you suffer a data breach and private information is inadvertently posted online, then you must notify the attorney general’s office and consumers promptly,” Zoeller, Indiana Attorney General, said. “Early warning helps minimize the risk that consumers will fall victim to identity theft.”

What happened?

Personal information was compromised for at least 137 days between October 2009 and March 2010. According to the suit, WellPoint learned of the problem Feb. 22, 2010, but didn’t inform the clients until June. Indiana state law also required that the Attorney General’s office be immediately notified, but WellPoint failed to do so.

The lawsuit

The Indiana Attorney General lawsuit alleged that member information was accessible from Oct. 23, 2009 until March 8, 2010. It stated further that WellPoint received written notification from Sarah Groveunder, a consumer, about the breach but failed to contact her until Mar 4. WellPoint started informing affected consumers only from June 18 and did not finish notifications until July 30.

What is surprising is that, since the 2009 law went into effect, warning letters have been sent to a total of 47 companies for being slow to notify authorities about breaches. “Many companies keep vast quantities of consumers’ personal data and they are required to handle it confidentially and not carelessly. That’s not just good business practice; that’s the law,” Zoeller said in a statement.

Security

According to Legal Newsline, the site was immediately secured. WellPoint issued the following statement soon after the settlement: “Anthem Blue Cross and Blue Shield is committed to protecting the privacy and security of our members’ and applicants’ personal information. We have implemented I.T. security changes to ensure that this situation will not happen again, and we have received no indication that any information that may have been accessed has been used inappropriately.”

How can Alertsec help?

Thus, in the absence of full disk encryption, the privacy of consumers gets compromised. It is vital to use data encryption software in order to keep our data safe from breaches. Data security and recovery software is the need of the hour. $13/month is certainly a small price to pay compared to what can happen if you lose confidential or sensitive data. Alertsec Xpress offers a very good and easy-to-use laptop security service that includes more than the traditional software licensing model.